Method of analyzing network attack situation
Abstract
Provided is a method for analyzing a network attack situation. The method categorizes network intrusion detection alerts into network attack situations, counts the frequency of same-featured intrusion alert occurrence for each network attack situation using a counting algorithm based on time slots, and analyzes the network attack situation based on the frequency of same-featured intrusion detection alert occurrence, the rate of same-featured intrusion detection alert occurrence, or an AND/OR combination of them. The network attack situation can be correctly detected in real time without relatively being influenced by the size of the network or amount of the occurrence of the intrusion detection alerts.
Claims
exact text as granted — not AI-modified1 . A method for analyzing network attack situations comprising:
categorizing network intrusion detection alerts into predetermined attack situations; counting the frequency of same-featured intrusion alert occurrence for each network attack situation using a counting algorithm which is time slot based; and analyzing network attack situations based on the the frequency of same-featured intrusion detection alert occurrence, the rate of same-featured intrusion detection alert occurrence, or an AND/OR combination of them.
2 . The method of claim 1 , wherein categorizing includes categorizing the network intrusion detection alerts based on attack name, source IP address, target IP address, and target service information into each network attack situation.
3 . The method of claim 1 , wherein counting comprises:
preparing a number of buckets equal to the dividing the analysis time interval by time slot units; sequentially recording the frequency of occurrence of the network attack situations occurring at each time slot in the bucket; and summing the frequency of occurrence recorded in the bucket.
4 . The method of claim 3 , wherein the recording includes recording the frequency of occurrence from the start of the bucket after recording the frequency of occurrence at the end of the buckets which are arranged consecutively.
5 . The method of claim 1 , wherein analyzing includes analyzing and categorizing the network attack situations into the three stages of warning, declaration, and confirmation.
6 . A computer readable recording medium in which a program for operating a method of analyzing network attack situations in a computer is recorded, the method comprising:
categorizing network intrusion detection alerts into predetermined network attack situations; counting a frequency of same-featured intrusion detection alert occurrence for each network attack situation using a counting algorithm based on time slots; and analyzing network attack situations based on the frequency of same-featured intrusion detection alert occurrence, the rate of same-featured intrusion detection alert occurrence, or an AND/OR combination of them.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.